Lawfare Daily: Juliette Kayyem on the New Critical Infrastructure Memo

[Audio Excerpt]

Juliette Kayyem

There will always be black swan events, but in some ways you're ready for them if you prepare for your generic high consequence events.

Matt Gluck

It's the Lawfare Podcast. I'm Matt Gluck, Research Fellow at Lawfare with Juliette Kayyem, Professor of International Security at the Harvard Kennedy School.

Juliette Kayyem

You want to make our response capabilities as nurtured and mature as our prevention capabilities.

[Main Podcast]

Matt Gluck

Today we're talking about the new national security memo on critical infrastructure, and what it reveals about the U.S. government's efforts to protect its most important domestic systems.

What leads to the release of the kind of document that we're talking about today?

Juliette Kayyem

A lot of interagency discussions. I have been hearing about this document, “National Security Memorandum 22,” for some time. It reflects an update to a similar memorandum by the Obama administration on critical infrastructure. A lot of it, and I don't mean this harshly, it's just the way government works. Some of it is just like belly button, who's in charge and how are we thinking about this. But there are some fundamental shifts in, I think, the Obama administration's orientation substantively. And then bureaucratically really does put the finger on the scale for CISA, the Cyber and Infrastructure Security Agency at DHS, really does reinforce its authority in this realm.

Matt Gluck

So one focus of the memorandum, which I was happy to see because of the conversation that we recently had, was this focus on preparation for disasters instead of just response after the fact. So could you talk a little bit about how the memo shifts left of boom, then you can remind listeners what that concept is?

Juliette Kayyem

Yeah. Thank you for quoting me to me. So I don't want to oversell what's in this memorandum. In particular, I've long thought that more enforceable regulations were necessary for critical infrastructure. But as you said, it does point in the right direction. And so when we talk about boom moments, left of boom is prevention and preparation and protection, things to stop the bad thing from happening. And then right of boom is all is response, recovery and resiliency, after the stuff hits the fan.

So there's a couple of things going on in the memorandum. I think the first is it recognizes physical cyber-attacks in a very meaningful way. So that this disjoint between there's cyber-attacks and then there's physical attacks that's reflected in all sorts of ways in government and the private sector, because I work with both, is really put to rest. And so, the beginning parts of the memorandum really say, look, we know from the ransomware attacks, we know from attacks, incidents like Volt Typhoon, which was basically infiltrating our critical infrastructure, that a cyber-attack is actually a physical attack. And I really like that sort of connectivity that the memorandum really understood. Literally we have, think about the private sector, you have chief security officers and then chief information security officers, as if it weren't the same thing in most instances, or at least in critical infrastructure. So they really do focus on that and then give the lead for what are the consequences of that and how to measure them to DHS, this is at DHS. And I think that's been a long time coming. You can't think that any type of attack on this critical infrastructure is anything but a physical attack.

Matt Gluck

And so this linkage between cyber-attacks and physical attacks marks somewhat of a shift from the prior policy?

Juliette Kayyem

Yes, it does. And the two big fundamental shifts, one of them is, I think, just a greater understanding of connectivity of the two. And then part of that is just we're learning from ransomware attacks and what we know is going on with critical infrastructure, so that it focuses the private sector on the responsibilities to have response plans, and focuses DHS on ensuring, without regulations, but ensuring that they have those plans. I should be clear here—there are some industries that do require them.

But I think the second piece of the memorandum, substantively, was also a statement to the intelligence community, which tends to not want to share because Homeland Security remembers very funky for the intelligence community because there's all sorts of rules as there should be. But sharing intel information with a private industry is difficult, but we have an entire apparatus that exists for this. The private critical infrastructure industry has people who are ready for this. And so, the second piece of the memorandum really focuses on the sharing of the intelligence with the private sector so that they can be ready.

Matt Gluck

I wanted to ask you about that. So the memo has eight guiding principles. One of them is this shared responsibility among federal actors, state actors, local actors, tribal leaders, territorial entities, and the private sector. What does that collaboration look like concretely, day-to-day?

Juliette Kayyem

Yeah literally, I was Assistant Secretary for Intergovernmental, so I know the stakeholders. To understand DHS, it's not like other agencies in the sort of foreign policy warfare, as they say, world. It is predominantly defensive in nature. It has responsibility with little authority. It has to work without chain of command, so it's not like we're talking about a combatant command, right? I used to say there is no homeland, there's just 50 governors, each with their own kingdom. And then it's got territorial, tribal cities and others. And then it has the private sector.

And we're a unique nation to the extent to which our infrastructure is held by the private sector with limited regulatory capacity or with limited regulatory oversight in this space. So the airline industry has lots of oversight. But in terms of, in particular, attacks on critical infrastructure, part of that was just built without us really thinking about it. And that the regular regulations used to be around safety, is an oil refinery emitting gases and the EPA is pissed off, rather than security, which would just be basically protecting the entity from outside influences. That's how we think about it.

So it takes a lot of stakeholder engagement and that means the sharing of information, best practices, carrots with fewer sticks, which is a challenge. Making the market see and understand that the consequences of not doing so. So you can see that with various previous examples that cyber-attacks on pipelines, the cost of ransomware, as well as attacks on the healthcare industry and others. So that you want to sell it as a business necessity rather than just an add-on. And you do that through a variety of means. After the ransomware attack on Colonial Pipeline, which resulted in a pipeline company closing its operations because they didn't know what was happening essentially, or just with precaution, right? It depends on who you talk to, they said precautionary. But that industry got more regulations. In an ideal world, we should be able to do this without doing it critical sector after critical sector. So that's essentially what it looks like.

I think Biden's right in the memorandum that it really does begin with his agencies, which is the shared responsibility because then otherwise the companies can't figure out what their risk and vulnerability is and then how much they should put into this and both prevention planning, but also response planning.

Matt Gluck

Is your sense that at this point, obviously the private sector is not monolithic, but is your sense that leaders in the private sector are starting to take these threats, both cyber and others to critical infrastructure more seriously than they maybe have in the past?

Juliette Kayyem

I do. And people on different sides of ideologies will argue, the market will fix itself and others will say it will take regulations. I think, honestly, the memorandum punts on this a little bit, saying that oversight entities have a responsibility to prioritize establishing and implementing minimum requirements without the White House actually saying what those are. I do. I work a lot with the private sector. I will say some of it is legal liability. A lot of it is reputational, and that's going to drive them.

These are things that companies, really, they can withstand, but they can't withstand too many times. If they get attacked and if they seem irresponsible in how they respond. I always say the companies, especially in the private sector, they're judged based on their vulnerability, the crisis happened, but also then they're judged on their response. And I think that the more that we can show the benefits of preparedness in minimizing the losses—the last time we talked, my mantra is fail safer, in other words, minimizing the losses—the better off we are.

I think too much of our critical infrastructure just isn't integrating the cyber with the physical consequences. So a ransomware attack is an attack on the pipelines. I'm not saying going to war over it, but I'm saying you've got to conceive of it this way because it could make your pipelines or whatever it is vulnerable. But certainly, also that there are techniques that companies can go through to make the assault or whatever it is less bad, in other words. And that's your resiliency. That's what resiliency looks like. So that's where I think that this memorandum gets it right, even though it doesn't have a lot of regulatory teeth. It has, I think, a lot of important statements about how we should all be thinking about this, both in the public and the private sector.

Matt Gluck

One of the other principles is this risk-based approach that you've spoken about and written about a lot. And one of the components of that is prioritizing critical infrastructure that is more closely tied to national security. It would seem to me that most critical infrastructure is national security. So what are the pieces of critical infrastructure that are seen as more closely tied to national security than others?

Juliette Kayyem

I agree with you in one way, or I agree with you on this instance, that a disruption of our critical infrastructure—so think of something even just like water—will be narrated by our enemies to show our vulnerability. So it might not be a sophisticated attack. It's just if you can't turn on the electricity, if you have rolling blackouts, or like whatever it is, it's hard to say that you're showing strength to the outside world. So I do think in all instances, critical infrastructure is that.

But we've talked about this before if your grid—if you can't communicate about where to move assets in a crisis, in other words, if your communications and telecommunications and signal communications are down, everything else becomes a lot harder. So I'm not going to prioritize them, but I certainly know in any generic crisis, if your ability to both absorb information, so you know where to deploy resources, and communicate information to those who are impacted, that's your worst-case scenario.

I will say things I like that seem familiar from what I write and I've written in my book is they are very focused on risk assessments. They are very focused on consequences. I don't mean that as a way to ignore the black swan event and, for people who don't know this, that's the low probability-high consequence event. But as I've written in my books and elsewhere, we really need to focus on consequences that that likelihood is just hard to gauge, especially in an all-hazards world, right? One of the things that the memorandum does is, while you and I are talking in the world of attacks, it actually talks about all threats and hazards. That's key because the wind can bring down a city, the tornado, the waters, anything can bring down a city as well. And so, I like that approach.

So a lot of us in the field are very much focused on your high consequence events. There will always be black swan events. But in some ways, you're ready for them if you prepare for your generic high consequence events.

I sometimes worry that, the pursuit of the black swan event and all of our fabulous scenarios around AI and elsewhere make us forget that there are, as Michelle Walker said, there was just gray rhinos everywhere. We don't need to look for the black swans. There's rhinos, they're gray, they're everywhere and they're scary, right? And we don't need to look for worse.

Matt Gluck

So you mentioned some of these large-scale risks posed by technological change. The memo talks about how certain technological and economic changes have created more interdependencies among different critical infrastructure sectors. So could you first describe what those interdependencies are? And then also if you could address how policy should change because they exist?

Juliette Kayyem

Yes, the perfect example is happening now, I can't believe it's not a banner headline all the time. It's the UnitedHealth Group's Change Healthcare. So in terms of those interconnectivities, I'm gonna tell you a statistic that will be jaw-dropping. A third of Americans now may have had—I'll be careful, there's no proof of it yet—but were potential victims of the data swept up in February's ransomware attack on Change Healthcare. To just take you back, Change Healthcare, you've never heard of before. It is literally the company that serves as the bridge between me and my doctor, my CVS, my everything. It's just like basically your information flow. One would have never viewed it as critical infrastructure because no one's ever heard of it before. We might view healthcare, access to healthcare. So people can't get prescriptions, this is a huge stress on the industry.

So I think what the memorandum is making clear is it's not just your specific targets. It's the companies that are supporting and enhancing the capacity of those targets. And I thought that that was important. It's clearly in light of Change Healthcare. And honestly, this is the other thing, is you gotta get those companies serious because as far as we know now, the ransomware attack was due to a lack of multifactor authentication. The most basic freaking thing. It’s so frustrating. But yeah, that's what brings the system down. It wasn't an attack on a hospital. It was this just sort of bridge network.

Matt Gluck

So a lot of it has to do with the availability of data, is that right?

Juliette Kayyem

Yeah. Yeah. Availability of daily data, situational awareness, and then capacity to respond with as few of losses as possible. I am, as we've talked enough, I've talked enough with you guys that, I just don't live in this world in which I'm hoping that I can prevent all bad things from happening. How I'm going to judge success is, but for the investment, would things have been much worse? That's important to remember. So how can we measure that investment? And that's how we have to begin to measure critical infrastructure response capabilities. We have to assume that they are vulnerable. We should make them less vulnerable, but they will be vulnerable. But you want to make our response capabilities as nurtured and mature as our prevention capabilities.

Matt Gluck

One of the vulnerabilities the memo addresses is the threats posed by foreign actors to our critical infrastructure. So we can think of Volt Typhoon and the presence of CCP-linked actors in our circuits and routers, where they were preparing to potentially wage an attack if the time was right. I've been thinking recently in different contexts. So the U.S. for a while, obviously didn’t see China as the threat that it does today. Now the Biden administration, and even the Trump administration, have been more focused on the threat that China poses. But do you think that there are exploitable loopholes through which Chinese actors might be able to enter our systems that we didn't think about as saliently because we weren't as focused on the cyber threat from China, left over from our old geopolitics? Do you think that is still seeping into our maintenance of our critical infrastructure?

Juliette Kayyem

I think—people will get mad at me. But it's like, all of our focus is on TikTok. I get it. I don't have TikTok for the same reason, I'm sure. Seriously, folks. You think this is the only way that they're trying to amass power through networks and downloads and infiltration? I will say for critical infrastructure, so we have the non-state actor threat. We have the non-man, we have the non-aggressive threat. So you just don't want people to forget about climate and other challenges to it. You have mistakes. But in terms of state actors, we worry about Iran, we worry about North Korea, and we worry about Russia. But obviously, I think if you thought about the non-war conflict between China and the United States, it's going to be in cyber-attacks, in particular, on critical infrastructure.

I want to say clearly, I do not know the answer to this question. But obviously, the Chinese will have some understanding of our capacity in their critical infrastructure. One should never think that just because they're doing it to us, we're not doing it to them. I don't know the answer to that question. I'm just saying what is keeping China from doing this is they just clearly have a sense that we would have some capacity back.

I want to remind people about this because I always find it one of the forgotten successes. There's many—and knock on wood, they'll continue to be in the war—in Ukraine, Russia's attack on Ukraine, remember that NATO was very, very clear that a cyber-attack by Russia on critical infrastructure in any of the NATO countries would be viewed as an Article 5 duty to respond violation. Now, the brilliance of that strategy was they never said what would rise to the level of a critical infrastructure attack. One has to assume something that ruined the waters or that stopped running water in a city or electricity. But I always thought that was something, to the extent the memorandum does talk about international cooperation, there are ways to limit an adversary's capabilities. And I thought that was an interesting one, which is we will view a cyber-attack that has that kind of implications as an attack on us as if you were raining bombs on us.

Matt Gluck

Does that strategic ambiguity exist in our domestic security policy too, outside of NATO, in the critical infrastructure cyber context?

Juliette Kayyem

I'm beginning to answer that question differently now. I'm beginning to think that, did I wake up every night worried about this or that ransomware? Look, the insurance industry has regularized ransomware enough. It's normalized in some way that a company can get insurance for ransomware attack and be protected. My answer to that question now is I worry that there is too much ambiguity now and you're seeing the price increased, but you're also seeing an industry that—it's so weird to say this about a criminal industry—but a criminal industry that used to be semi-reliable, right? In other words, they would get into the system, they wanted a certain amount of money. Once they got that money, they would get out of the system because they wanted reliability that they could go to the next one and the next one would do the same thing. That reliability is gone.

And I think the ambiguity we've been living in about things like ransomware probably should end. We have very few duties of disclosure. We don't have a prohibition on paying it. We've thought that it was something that we could just handle as the normal course of business. And I think that's proving to be wrong.

Matt Gluck

I noticed that the memo discusses the need to integrate security and resilience into our critical infrastructure-related acquisition programs and the evaluation of foreign investment in the United States. But I didn't see any reference to the export of critical infrastructure materials. So why is that? I know that we're very focused on export-related restrictions for military and technological efforts. So why does the government see those as separate from this critical infrastructure issue?

Juliette Kayyem

I think the short answer is because of the dual use aspects of critical infrastructure. So it's like an F-22 doesn't have a dual use. I'm not wondering, what's its civilian usage, right? Where there's lots of materials, assets, knowledge that, in the critical infrastructure world, that is 95% unrelated to security. It might be related to safety, but really doesn't have any international security implications. These are just pipes. Like the pipes just go in the water, right? And so, it is that it's dual use functionality that makes it very difficult.

So compare it to bio, right? Anthrax has no dual use, unless you're looking for a cure for it. But it's not going into the civilian market. So you can heavily regulate what a BioLab 4 looks like or the export or the transport of anything like that. This is not true in critical infrastructure. Honestly, it's like buses, right? When you think about transportation, it's like the dinky MBTA buses that I look at when I ride my bike to work in Boston it's, that's the difference.

Matt Gluck

The memo requires the Secretary of Homeland Security to issue a National Infrastructure Risk Management Plan every two years, which the memo says should focus on risks to individual sectors and also cross-sector risks. What, in your view, would be a successful plan? Or what should a successful plan or an effective plan include?

Juliette Kayyem

I think the most important thing now, it's not that nascent, but the relatively nascent nature of this, is just really clearly defining the roles and responsibilities of various agencies in the same way in this space that, say, the Homeland Security Presidential Directives did after 9/11. Is this an FBI thing? Is this a DHS thing? Is this a DOD thing? And then, a maybe second wave would be, then begin a regulatory process of more than carrots that would bring these companies to at least a basic floor of not just prevention but also response preparedness should something happen. And so I think that is key.

And then the third piece I guess I would say is that that intelligence sharing component is to make sure that while we're demanding or requesting things of critical infrastructure, we're also delivering what the federal government's value add is, which is, we just know more things on an intelligence side than states, localities, territories, tribes, private sector, especially in critical infrastructure, and to continue to share that.

I think that's what they're trying to do with some of the limitations that we have. I think it's a strong memo. I really like the pieces that we talked about, in particular, about intelligence and the cyber physical changes, the risk focusing on consequences as much as probability and some of the other attributes in it. But it's a challenge to do that in a world that doesn't really have a lot of legislative teeth in it. And that may be the next wave, depending on what happens.

Matt Gluck

Alright. We'll have to leave it there. Juliette, thank you so much for joining us.

Juliette Kayyem

Thank you so much. I'll talk to you soon. I am sure.

Matt Gluck

The Lawfare Podcast is produced in cooperation with the Brookings Institution. You can get ad-free versions of this and other Lawfare podcast by becoming a Lawfare material supporter at lawfaremedia.org/support. You’ll also get special access to special events and other content only available to our supporters. Please rate and review us wherever you get your podcast.

Look out for our other podcasts, including Rational Security, Chatter, Allies, and the Aftermath, our latest Lawfare Presents podcast series on the government's response to January 6th. Check out our written work at lawfaremedia.org.

The podcast is edited by Jen Patja, and your audio engineer this episode was Cara Shillenn of Goat Rodeo. Our theme song is from Alibi Music. As always, thanks for listening.